Skip to content

[release/1.2 backport] update runc to 2b18fe1d885ee5083ef9f0838fee39b62d653e30#3082

Merged
estesp merged 1 commit intocontainerd:release/1.2from
thaJeztah:1.2_backport_bump_runc
Mar 11, 2019
Merged

[release/1.2 backport] update runc to 2b18fe1d885ee5083ef9f0838fee39b62d653e30#3082
estesp merged 1 commit intocontainerd:release/1.2from
thaJeztah:1.2_backport_bump_runc

Conversation

@thaJeztah
Copy link
Copy Markdown
Member

@thaJeztah thaJeztah commented Mar 7, 2019

backport of #3081

This includes an improved fix for CVE-2019-5736 to reduce the
increased memory-consumption introduced by the original patch,
RHEL 7.6 getting into a loop due to a kernel bug in those kernels,
and improve compatibility with older kernels.

changes included:

Signed-off-by: Sebastiaan van Stijn [email protected]
(cherry picked from commit b8d40b3)
Signed-off-by: Sebastiaan van Stijn [email protected]

@thaJeztah
update runc to 2b18fe1d885ee5083ef9f0838fee39b62d653e30
b7e7f11 
This includes an improved fix for CVE-2019-5736 to reduce the
increased memory-consumption introduced by the original patch,
RHEL 7.6 getting into a loop due to a kernel bug in those kernels,
and improve compatibility with older kernels.

changes included:

- opencontainers/runc#1973 Vendor opencontainers/runtime-spec 29686dbc
- opencontainers/runc#1978 Remove detection for scope properties, which have always been broken
- opencontainers/runc#1963 Vendor in go-criu and use it for CRIU's RPC definition
- opencontainers/runc#1995 exec: expose --preserve-fds
- opencontainers/runc#2000 fix preserve-fds flag may cause runc hang
- opencontainers/runc#1968 Create bind mount mountpoints during restore
- opencontainers/runc#1984 nsenter: cloned_binary: "memfd" cleanups

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit b8d40b3)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
thaJeztah commented Mar 7, 2019
View reviewed changes
vendor/github.com/opencontainers/runc/vendor.conf
# than a commit ID so it's much more obvious what version of the spec we are
# using.
github.com/opencontainers/runtime-spec 5684b8af48c1ac3b1451fa499724e30e3c20a294
github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4
Copy link
Copy Markdown
Member Author

@thaJeztah thaJeztah Mar 7, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we want the vendored version to match this one?

@codecov-io
Copy link
Copy Markdown

codecov-io commented Mar 7, 2019

Codecov Report

Merging #3082 into release/1.2 will increase coverage by 0.61%.
The diff coverage is n/a.

Impacted file tree graph

@@               Coverage Diff               @@
##           release/1.2    #3082      +/-   ##
===============================================
+ Coverage        43.66%   44.27%   +0.61%     
===============================================
  Files              101      101              
  Lines            10754    10809      +55     
===============================================
+ Hits              4696     4786      +90     
+ Misses            5329     5286      -43     
- Partials           729      737       +8
Flag Coverage Δ
#linux 47.38% <ø> (+0.03%) ⬆️
#windows 40.75% <ø> (ø) ⬆️
Impacted Files Coverage Δ
metadata/gc.go 74.76% <0%> (+13.24%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f3ab47d...b7e7f11. Read the comment docs.

@cyphar
Copy link
Copy Markdown
Contributor

cyphar commented Mar 8, 2019

You probably don't want to backport this yet -- I just realised the bind-mount approach isn't fool-proof. I'm working on a follow-up patch that should be ready soon.

@thaJeztah thaJeztah changed the title [release/1.2 backport] update runc to 2b18fe1d885ee5083ef9f0838fee39b62d653e30 [WIP][release/1.2 backport] update runc to 2b18fe1d885ee5083ef9f0838fee39b62d653e30 Mar 8, 2019
@Random-Liu
Copy link
Copy Markdown
Member

Random-Liu commented Mar 8, 2019

So based on #3082 (comment), I guess this won't be part of 1.2.5?

@cyphar
Copy link
Copy Markdown
Contributor

cyphar commented Mar 10, 2019

You can drop the WIP -- I've closed opencontainers/runc#2006 after deciding that running CAP_SYS_ADMIN (in a non-userns container with AppArmor disabled) was always unsafe and it makes no sense to block a working fix based on that.

@fuweid fuweid mentioned this pull request Mar 11, 2019
Merged
@crosbymichael
Copy link
Copy Markdown
Member

crosbymichael commented Mar 11, 2019

LGTM

@estesp estesp changed the title [WIP][release/1.2 backport] update runc to 2b18fe1d885ee5083ef9f0838fee39b62d653e30 [release/1.2 backport] update runc to 2b18fe1d885ee5083ef9f0838fee39b62d653e30 Mar 11, 2019
@estesp
Copy link
Copy Markdown
Member

estesp commented Mar 11, 2019

Based on @cyphar's comment, I'm removing the [WIP] from the title as sounds like there will be no further changes, and we can include the updated runc in our 1.2.5 release // cc: @Random-Liu

estesp
estesp approved these changes Mar 11, 2019
View reviewed changes
Copy link
Copy Markdown
Member

@estesp estesp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@estesp estesp merged commit 96a0d28 into containerd:release/1.2 Mar 11, 2019
@thaJeztah thaJeztah deleted the 1.2_backport_bump_runc branch March 11, 2019 16:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@estesp estesp estesp approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@thaJeztah @codecov-io @cyphar @Random-Liu @crosbymichael @estesp